By Sonia Hickey: Sydney Criminal Lawyers Blog
Just quietly over the past couple of months, with the rest of Australia conveniently distracted by the COVID-19 pandemic, the Federal Government has introduced draft legislation with a view to creating what it calls a ‘trusted digital identity’.
Perhaps with a view to deflecting accusations of a lack of accountability, Morrison and his cohorts formally invited public feedback on the proposal – although that invitation had an abridged timeframe and came with virtually no publicity.
This ‘consultation process’ is now over, and the draft Trusted Digital Identity Bill 2021 (Cth) will go through Parliament sometime in the coming months.
What is a ‘National Identity System’?
The legislation proposes to create what is known as a ‘National Digital Identity System’.
The official Government website claims this identity “helps you prove who you are when you want to access services online” by providing a single point of access which means a person does not need to establish their identity over a number of different government platforms.
The website emphasises convenience and accessing of services, promising, as in the past, that user data will be kept safe and secure – something we know that the Australian Government doesn’t have a strong track record in.
Government’s appalling track record in technology projects
Time and again, expensive national information technology projects have failed, and user data has been hacked or otherwise leaked due to poor security measures.
The most recent Federal Government write-off has been the CovidSafe app which, despite its promises, proved to be virtually useless despite costing tens of millions of taxpayer dollars.
The government’s technology schemes have, without exception, been the subject of large numbers of breaches, without anyone in government being accountable for these.
The breaches have included dozens involving the My Health Record scheme, the metadata retention scheme and even the 2016 national Census – resulting in the government reverting to a paper Census.
Currently, a person can create a digital identity using a “myGovID” to access a number of government services.
This service facilitates access to data across Government agencies like Medicare, Centrelink and the Australian Tax Office.
Expanding the scheme
The new draft legislation proposes an expansion of powers in order to outsource the process of identity verification to approved Australian businesses. This would be done by linking your MyGov account and proof of ID (such as a passport, birth certificate or driver licence) to an identity provider.
The proposal enables any Australian business to apply to join the “Trusted Digital Identity Framework” to become an identity accreditor. A Government agency will be established to oversee these accreditations, and to govern how data will be handled in the scheme.
With a public that has been largely complacent for many years over the loss of freedoms and legal safeguards, and the increasing powers of government, there are concerns this new proposed legislation is just the latest step in the move towards an all-powerful surveillance state – whereby the privacy of individuals is superseded by pervasive surveillance and monitoring.
Just recently, both houses of Federal Parliament passed the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 which gives law enforcement authorities extraordinarily intrusive and concerning powers to hack, alter and take over the online accounts of citizens.
With this latest proposed Bill, our nation is now one whereby the surveillance powers of government are far in excess of any other Western ‘democracy’ – raising concerns about whether we are moving towards the levels of authoritarianism and control of countries like China – where citizens are constantly monitored and even given social ratings which determine their levels of ‘freedom’.
Cyber fraud, identity theft and data breaches
Another concern is over the safety of personal data, given that under the new scheme a cyber-criminal may only need to hack one database to have access to several linked to any particular individual.
Since the ‘explosion’ of the internet, cyber security and IT experts have warned repeatedly that individuals should never link personal information online, should keep passwords separate, should change passwords often and update security settings regularly.
As both governments and businesses push more services online, rather than face-to-face, the idea of one single identity (without the need to keep plugging in login details and remembering passwords) sounds tempting. But it is a considerable risk. Cyber crimes such as fraud and identity theft are on the rise, across the globe.
Remember the Facebook data scandal in 2018 when a company called Cambridge Analytica harvested the data of about 50 million users to send personalised political advertisements with a view to influencing the recent US election?
Facebook shares plummeted and the social media giant was forced to face the backlash. It remained defiant that Facebook had not notified users of the unauthorised use of their data, pointing out that users had voluntarily provided the information to the platform.
Since then, people are more aware about checking apps and social media updates to ensure they have the right security settings in place to share only data they want to. But it is still a problem. British comedian Michael McIntyre once famously joked that he’s never read Apple’s terms and conditions, and he’s a bit concerned that one day the company’s executives will knock at his door and he’ll find out he agreed to hand over his house!
It’s funny, but it’s not. Most of us don’t read terms and conditions and even if we did, it’s unlikely that without an IT degree or a law degree we would understand the full implications of them anyway. With technology changing so quickly, in some cases there are not adequate protections in the law, even though it aims to keep up with these advancements.
That said, the ‘datafication’ of society is well underway. It is not something we can ignore, nor can we continue to blindly stumble through it, unaware of our rights and responsibilities in the online space.
Datafication has been supercharged by the COVID-19 pandemic, which forced people into lockdown, and to undertake even more activities online than ever before.
While at this stage the Federal Government says the proposed digital identity system will be voluntary, who knows where it may lead?
Not enough safeguards in the proposal
It is not clear how the Government will ensure the complete trustworthiness of the businesses that can apply to be identification verifiers, who, it is understood, will store the data.
And this also presents a problem. If the Government were solely managing this, then it would be clear ‘where the buck stops’ if there’s an error in the system, but with multiple third parties involved, it has the potential to dilute accountability. Experts say that the legislation in its current form does not have sufficient safeguards around third-party access to the data or the on-selling of the data.
The experts also warn that the system effectively creates a situation where Australians will (should they choose to) hand over their data, and the control of that data, to the Government.
This might seem like technological advancement, but it is really just another nail in the coffin for democracy. People should be encouraged to, and empowered to, govern their own personal information, just as many generations have before.
If the future means that Governments will invest in harnessing the use of technology to store this information, then they need to ensure that people are appropriately educated and informed, so they can manage their own personal information and make decisions about it with confidence.
What’s more, the government needs to ensure equitable access to these technologies, so that no one gets left behind.